IETF Logo Mail Archive

Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2

Ryan Sleevi <ryan-ietftls@sleevi.com> Fri, 24 March 2017 16:31 UTC

Return-Path: <ryan-ietftls@sleevi.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03A2F1297E9 for <tls@ietfa.amsl.com>; Fri, 24 Mar 2017 09:31:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.695
X-Spam-Level:
X-Spam-Status: No, score=-4.695 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WlO2qTqy7-3N for <tls@ietfa.amsl.com>; Fri, 24 Mar 2017 09:31:25 -0700 (PDT)
Received: from homiemail-a89.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDBB61294CF for <tls@ietf.org>; Fri, 24 Mar 2017 09:31:25 -0700 (PDT)
Received: from homiemail-a89.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a89.g.dreamhost.com (Postfix) with ESMTP id 43732C00271F for <tls@ietf.org>; Fri, 24 Mar 2017 09:31:25 -0700 (PDT)
Received: from mail-lf0-f46.google.com (mail-lf0-f46.google.com [209.85.215.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a89.g.dreamhost.com (Postfix) with ESMTPSA id 0A7FAC00271C for <tls@ietf.org>; Fri, 24 Mar 2017 09:31:25 -0700 (PDT)
Received: by mail-lf0-f46.google.com with SMTP id j90so3240930lfk.2 for <tls@ietf.org>; Fri, 24 Mar 2017 09:31:24 -0700 (PDT)
X-Gm-Message-State: AFeK/H3vKmmquarQMPol3KOltZgZlWjBHR0hYr+dtX2VOBDT5GqgJygfGw59yC9DpZm9pHSKtlMtu0Kk8u1jOA==
X-Received: by 10.25.157.65 with SMTP id g62mr5079441lfe.29.1490373083114; Fri, 24 Mar 2017 09:31:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.193.197 with HTTP; Fri, 24 Mar 2017 09:31:22 -0700 (PDT)
In-Reply-To: <7970606B-0096-475D-8842-2A14E5168413@dukhovni.org>
References: <E6C9F0E527F94F4692731382340B337846DD1B@DENBGAT9EH2MSX.ww902.siemens.net> <1490317199552.71745@cs.auckland.ac.nz> <52C6D0EF-D6AC-484A-9096-BDAE5C870F82@dukhovni.org> <CABkgnnVS-0vh_fPVQVnq6YxxrYNQ1=+90Ct8CmUocJf7R6k4bA@mail.gmail.com> <7970606B-0096-475D-8842-2A14E5168413@dukhovni.org>
From: Ryan Sleevi <ryan-ietftls@sleevi.com>
Date: Fri, 24 Mar 2017 12:31:22 -0400
X-Gmail-Original-Message-ID: <CAErg=HEzxHttSOk5Kx=-0qsd3_XWfkVzf_UHZ=YVC6EBctVErQ@mail.gmail.com>
Message-ID: <CAErg=HEzxHttSOk5Kx=-0qsd3_XWfkVzf_UHZ=YVC6EBctVErQ@mail.gmail.com>
To: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11411ca233d001054b7c8650"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1wM2GeU-qs5-eITWGnLnAlzhQpk>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Mar 2017 16:31:28 -0000

On Fri, Mar 24, 2017 at 1:23 AM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
> > On Mar 24, 2017, at 1:08 AM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
> >
> >> I've never seen
> >> a TLS server that has multiple chains to choose from for the same
> >> server identity.
>
> Both chains of course use SHA256.
>
> Sorry I meant to say multiple digest algorithms for otherwise
> identical chains (same public key algorithm and server name).
>
> Even in the SMTP space some servers have both RSA and ECDSA certs.
> When that's the case, cipher negotiation ensures that the selected
> EE certificate's public key algorithm is mutually supported.
>
> There's still little need to pay attention to the client's signature
> algorithms in choosing the EE-certificate and associated chain.
>

Cloudflare does with the SHA-1 and SHA-256 support (
https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/ )

Google has a certificate chain that supports only SHA-256 (if you trust
GeoTrust) or which supports SHA-256 and SHA-1 (if you only trust Equifax,
and require the cross-sign). For example, OpenSSL without the ALT_CHAINS
fix of 1.0.2 would prefer the Equifax path over the GeoTrust path.

There are plenty of large CAs with complex cross-signs that introduce
additional digest algorithms at the intermediate level, and the server can
influence that path validation by using the signature algorithms (although
few do).

I would say that the vast majority of servers deployed on the Internet
using commonly publicly trusted CAs have more than one chain to choose from
- often dependent on the installed trust anchors - but the servers may
simply not be aware of it, and relying on clients to do the needful (for
example, with AIA fetching). The delta of sites that don't work in Firefox
(when SHA-1 is disabled) compared to Chrome (when SHA-1 is disabled)
illustrate this - as Chrome performs the AIA fetching to find the
alternative SHA-256 paths, while Firefox does not, and requires the server
supply them.

Similarly, a given server may have paths where the leaf uses SHA-256, but
intermediates use either SHA-256 or SHA-384 dependent upon the trust anchor
it is rooted in.

v2.23.0 | Report a Bug | By Email